
Security and Resilience in Organizations and their Supply Chains


11. Continual Improvement

11.1 General

The organization shall continually improve the effectiveness of the ORMS through the use of the ORMS policy, objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review.

11.2 Nonconformities, Corrective and Preventive Action

The organization shall establish, implement, and maintain procedures for dealing with nonconformities and for taking corrective and preventive action. The procedures shall define requirements for:

  • Identifying and correcting nonconformities and taking actions to mitigate their consequences;

  • Evaluating the need for actions to prevent nonconformities and implementing appropriate actions designed to avoid their occurrence;

  • Investigating nonconformities, determining their root causes, and taking actions in order to avoid their recurrence;

  • Recording the results of corrective and preventive actions taken;

  • Assessing how corrective and preventive actions modify risk; and

  • Reviewing the effectiveness of corrective and preventive actions taken.

The organization shall ensure that proposed changes are made to the ORMS documentation.

11.3 Change Management

The organization shall establish a defined and documented change management program to ensure that any internal or external changes that impact the organization are reviewed in relation to the ORMS. It shall identify any new critical activities that need to be included in the ORMS change management program.

11.4 Opportunities for Improvement

The organization shall monitor, evaluate, and exploit opportunities for improvement in ORMS performance and eliminate the causes of potential problems, including:

  • Ongoing monitoring of the operational and risk landscape to identify potential problems and opportunities for improvement;

  • Determining and implementing action needed to improve risk management and security and resilience performance; and

  • Reviewing the effectiveness of the action taken to improve performance.

Actions taken shall be appropriate to the impact of the potential problems, and the organization’s obligations and resource realities.

Top management, in collaboration with key risk stakeholders, shall ensure that actions are taken without undue delay to exploit opportunities for improvement. Where existing arrangements are revised and new arrangements are introduced that could impact the management of risk, operations, and activities, the organization shall consider the associated risks before their implementation.

The results of the reviews and actions taken shall be clearly documented and records shall be maintained. Follow-up activities shall include the verification of the actions taken and the reporting of verification results.
